postfix sender restrictions – job NOT done

OK, I admit to being dumb. I got another scam email yesterday of the same formulation as the earlier ones (mail From: me@mydomain, To: me@mydomain) attempting to extort bitcoin from me.

How? What had I missed this time?

Well, this was slightly different. Checking the mail headers (and my logs) showed that the email had a valid “Sender” address (some bozo calling themselves “susanne@mangomango.de”) so my earlier “check_sender_access” test would obviously have allowed the email to pass. But what I hadn’t considered was that the sender might then spoof the From: address in the data portion of the email (which is trivially easy to do).

“Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn’t own the MAIL FROM address according to $smtpd_sender_login_maps.”

Now since I store all my user details in a MySQL database called “virtual_mailbox_maps” it is simple enough to tell postfix to use that database as the “smtpd_sender_login_maps” and check the “From” address against that. That way only locally authenticated valid users can specify a local “From:” address. Why I missed that check is just beyond me.

(Note that I chose to use the “reject_unauthenticated_sender_login_mismatch” rather than the wider “reject_sender_login_mismatch” because I only care about outside unauthenticated senders abusing my system. I can deal with authenticated users differently…)
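As an added illustration (not code from the original post), this small Python model applies the rule quoted above to a few constructed SMTP sessions and compares the two restrictions. The map contents, addresses and function names are assumptions; as in the quoted documentation, the decision uses only the envelope MAIL FROM address and the SASL login.

```python
# Model of the sender/login check quoted above. The map stands in for the
# lookup behind smtpd_sender_login_maps; every address is a constructed sample.
SENDER_LOGIN_MAP = {
    "me@mydomain": {"me"},
    "other@mydomain": {"other"},
}


def check(mail_from, sasl_user, unauthenticated_only):
    """Return "REJECT" or "DUNNO" (no decision) for one SMTP session.

    mail_from  -- envelope address from the MAIL FROM command
    sasl_user  -- SASL login name, or None when the client did not log in
    unauthenticated_only -- True models reject_unauthenticated_sender_login_mismatch,
                            False models reject_sender_login_mismatch
    """
    owners = SENDER_LOGIN_MAP.get(mail_from.lower())
    if sasl_user is None:
        # Not logged in: reject only when the map names an owner for MAIL FROM.
        return "REJECT" if owners is not None else "DUNNO"
    if unauthenticated_only:
        # The narrower restriction does not judge logged-in clients.
        return "DUNNO"
    # Logged in: the login must own the MAIL FROM address.
    return "DUNNO" if owners is not None and sasl_user in owners else "REJECT"


# Constructed sessions: (label, MAIL FROM, SASL login, header From:).
# The header From: is listed only to show that check() never reads it.
SESSIONS = [
    ("outside client, local envelope sender", "me@mydomain", None, "me@mydomain"),
    ("outside client, own envelope sender", "someone@external.example", None, "me@mydomain"),
    ("mailing list bounce address", "list-bounces@lists.example", None, "member@other.example"),
    ("logged-in user, someone else's address", "me@mydomain", "other", "me@mydomain"),
    ("logged-in user, own address", "me@mydomain", "me", "me@mydomain"),
]


def evaluate(unauthenticated_only):
    """Map each session label to the verdict of the chosen restriction."""
    return {label: check(mail_from, login, unauthenticated_only)
            for label, mail_from, login, _header_from in SESSIONS}


if __name__ == "__main__":
    for narrow in (True, False):
        name = "unauthenticated-only" if narrow else "full"
        for label, verdict in evaluate(narrow).items():
            print(f"{name:21} {verdict:7} {label}")
```

The two restrictions differ only for the logged-in user sending from someone else's address. The narrower restriction leaves that session undecided, while `reject_sender_login_mismatch` rejects it.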

Now let’s see what happens.

Permanent link to this article: https://baldric.net/2019/02/16/postfix-sender-restrictions-job-not-done/

2 comments

How would this affect mailing lists?
i.e. If you were to send newsletters from Mail Chimp or Constant Contact, and the “from” address on that newsletter is your domain. If I’m understanding this parameter correctly, then if ‘reject_sender_login_mismatch’ is enabled, then those newsletter emails would be blocked.

I considered this point before I made the change because I am a member of several mailing lists (tor-relays, tor-talk, alug, etc.) and I didn’t want mail to be rejected. Fortunately, well-run mail lists using decent software (such as mailman) always send mail to list members from the list itself rather than just relaying the mail out unchanged. So for example, I get email from the anglia linux user group with the sender set as “main-bounces@lists.alug.org.uk”. Thus postfix sees the connection from the external server with a valid external sender address. See for example this recent exchange:
